Why WAPPLES? 2009. 7. 21
Originality (1/3): WAPPLES versus other Web Application Firewalls (WAFs)

WAPPLES strong points
• Fundamentally unique concept. In Korea, WAPPLES holds the #1 WAF market share, over 60%!
• Higher security level, ex) it can detect altered/unknown attacks. The COCEP engine performs logic analysis plus positive/negative security by rules.
• Ease of use, ex) no need for manual updates.
• Misdetection reduced to 0%.

Other WAFs
• Cannot detect altered/unknown attacks.
• Pattern matching based on an IPS/network engine.
• High cost to maintain, ex) the security level is proportional to the number of patterns.
• Possibility of misdetection; misdetection can cause service suspension.
Originality (2/3): WAPPLES is FUNDAMENTALLY DIFFERENT!
• After gaining extensive experience in developing IDS, Penta found some critical weak points in the pattern matching method:
  - misdetection and impossible deployments
  - management difficulties
• To overcome these weak points, a whole new architecture with a higher security level, lower management cost, and no misdetection was developed.
• WAPPLES has a unique Logic Analysis Engine (the COCEP engine) to detect web attacks. (WAPPLES also supports pattern methods alongside the COCEP engine to meet customers' needs.)
Originality (3/3): COCEP Engine (Logic Analysis Engine) Diagram
[Diagram of the COCEP Engine (Logic Analysis Engine); the image is not included in the extracted text]
Features: strong points of logic analysis against pattern matching
• Higher security
  - Extremely low possibility of false positives.
  - Accurate detection of modified attacks.
• Higher performance
  - No additional system load from adding new patterns. Generally, more than 3000 patterns lead to low system performance.
  - No difference in performance between the test environment and the real operating environment.
• Ease of use and less maintenance
  - Installation is possible without (or with minimal) changes to server and network settings.
  - Extremely little management burden for the administrator.
  - Low operating cost: WAPPLES receives a S/W update service rather than a signature update service.
COCEP Engine Process: SQL Injection Rule
• WAPPLES's SQL Injection Rule acts as follows:
  1. Inspect whether there is any SQL reserved word.
  2. Check whether the SQL phrase including the reserved word from step 1 conforms to SQL grammar.
  3. Evaluate whether the SQL phrase is effective as an attack. Ex) an SQL phrase including meaningless bypass code like [aaa' or '1'='1], or an SQL phrase accessing vulnerable procedures or functions.
• Positive effects
  - WAPPLES can detect an infinite number of modified SQL injections.
  - WAPPLES does not need a new pattern as long as the attack is of the same type.
  - WAPPLES does not judge an SQL phrase to be an attack just because it includes a few SQL reserved words: extremely low possibility of false positives.
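The three steps above can be illustrated with a small, self-contained classifier. This is an added example written for this page, not the COCEP engine or any code from Penta: the reserved-word list is a constructed subset, the "grammar check" is reduced to finding a comparison that follows OR/AND, and step 3 flags a comparison whose both sides are literals (a constant condition such as '1'='1 or 'b'='b), which is what lets it catch the modified tautologies discussed later on this page without a pattern per literal value.

```python
import re

# Constructed subset of SQL reserved words for step 1 (not the product's vocabulary).
SQL_RESERVED = {"select", "union", "from", "where", "or", "and", "having",
                "insert", "update", "delete", "drop"}
COMPARE_OPS = {"=", "<>", "!=", "<", ">"}
CONNECTIVES = {"or", "and"}

# Tokenizer: a quoted string (a trailing unterminated quote is accepted because injected
# text usually relies on the application's own closing quote), a number, a word, an
# operator, or any other single non-space character.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'?|\d+|[A-Za-z_]\w*|<>|!=|[=<>]|\S")


def tokenize(fragment: str) -> list:
    return TOKEN_RE.findall(fragment)


def literal_value(token: str):
    """Return the value of a string or number literal token, or None for anything else."""
    if token.startswith("'"):
        body = token[1:-1] if len(token) > 1 and token.endswith("'") else token[1:]
        return body.replace("''", "'")
    if token.isdigit():
        return str(int(token))  # normalizes 01 and 1 to the same value
    return None


def find_comparisons(tokens: list):
    """Step 2 (simplified grammar check): yield (left, op, right) triples following OR/AND."""
    for i, tok in enumerate(tokens):
        if tok.lower() in CONNECTIVES and i + 3 < len(tokens):
            left, op, right = tokens[i + 1], tokens[i + 2], tokens[i + 3]
            if op in COMPARE_OPS:
                yield left, op, right


def classify(value: str) -> tuple:
    """Apply the three steps to one parameter value and return (verdict, reason)."""
    seen_words = []
    # Try the value as-is and as if it closed a quote already open in the query.
    for context in ("", "'"):
        tokens = tokenize(context + value)
        words = [t.lower() for t in tokens if t.lower() in SQL_RESERVED]
        if not words:
            continue  # step 1: nothing SQL-like in this context
        seen_words.extend(words)
        for left, op, right in find_comparisons(tokens):
            lv, rv = literal_value(left), literal_value(right)
            # Step 3: a literal compared with a literal is a constant condition, which has
            # no legitimate purpose in user input (e.g. '1'='1 is always true).
            if lv is not None and rv is not None:
                return "attack", f"constant comparison {left} {op} {right}"
    if seen_words:
        return "benign", f"reserved words {sorted(set(seen_words))} but no constant comparison"
    return "benign", "no SQL reserved words"


if __name__ == "__main__":
    for sample in ("aaa' or '1'='1", "' or 'b'='b", "1 or 1=1",
                   "having a good time. Seoul ==> Tokyo", "dead or alive"):
        print(repr(sample), "->", classify(sample))
```

Running it shows the point of step 3: "having a good time" contains the reserved word having but no SQL structure, so it is benign, while '1'='1 and 'b'='b are caught by the same rule because the check is on the shape of the comparison, not on the literal text. A production engine would also have to handle comments, encodings, and identifier-to-identifier comparisons (id = id), which this example deliberately leaves out.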
COCEP Engine Process: Suspicious Access Rule
• WAPPLES's Suspicious Access Rule acts as follows:
  1. Send a validation request (an HTTP request) back to a suspicious client accessing the web server.
  2. Deny the client's access when it replies with an abnormal response.
• The validation request checks the client's capability to handle HTTP:
  - whether it can understand an HTTP request header
  - whether it can process (create, update, and so on) a cookie
  - whether it can send a response to an HTTP status request
• Positive effects
  - WAPPLES can detect an unknown robot or scanner without adding new patterns.
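One way to realize the cookie part of such a validation request is a challenge cookie that the client must echo back. The following is an added example for this page, not the product's implementation: it models the validation as a redirect carrying an HMAC-bound Set-Cookie, then accepts only clients that return a fresh token issued to their own address. The cookie name, key, addresses and the two simulated clients are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed server-side secret; a real deployment would load it from a key store.
SERVER_KEY = b"constructed-demo-key"
CHALLENGE_COOKIE = "waf_check"  # hypothetical cookie name, not the product's


def make_token(client_ip: str, issued_at: int) -> str:
    """Bind the challenge token to the client address and issue time with an HMAC."""
    msg = f"{client_ip}|{issued_at}".encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]
    return f"{issued_at}:{mac}"


def build_challenge(client_ip: str, now: int) -> dict:
    """Step 1: answer the suspicious request with a cookie the client must echo back."""
    return {
        "status": 302,
        "headers": {
            "Set-Cookie": f"{CHALLENGE_COOKIE}={make_token(client_ip, now)}; Path=/; HttpOnly",
            "Location": "/",  # ask the client to retry the same resource
        },
    }


def parse_cookies(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def validate_response(client_ip: str, request_headers: dict, now: int, max_age: int = 60) -> tuple:
    """Step 2: accept only a client that returned an unmodified, fresh, correctly bound token."""
    token = parse_cookies(request_headers.get("Cookie", "")).get(CHALLENGE_COOKIE)
    if token is None:
        return False, "no challenge cookie: client ignored Set-Cookie"
    try:
        issued_str, _mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(make_token(client_ip, issued_at), token):
        return False, "token was not issued to this client"
    if now - issued_at > max_age:
        return False, "token expired"
    return True, "client handled the redirect and the cookie"


def browser_like_client(challenge: dict) -> dict:
    """Constructed client that stores the cookie and retries, as a browser would."""
    cookie = challenge["headers"]["Set-Cookie"].split(";")[0]
    return {"Host": "example.test", "Cookie": cookie}


def naive_scanner(challenge: dict) -> dict:
    """Constructed client that resends its request, ignoring Set-Cookie and Location."""
    return {"Host": "example.test"}


def run_demo(now: int = 1_700_000_000) -> dict:
    ip = "203.0.113.10"  # documentation address range
    challenge = build_challenge(ip, now)
    return {
        "browser": validate_response(ip, browser_like_client(challenge), now + 1)[0],
        "scanner": validate_response(ip, naive_scanner(challenge), now + 1)[0],
        "replayed_from_other_ip": validate_response("198.51.100.7", browser_like_client(challenge), now + 1)[0],
        "stale": validate_response(ip, browser_like_client(challenge), now + 3600)[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

Binding the token to the client address is a choice made here for illustration; behind a proxy or NAT it would misfire and the binding would have to use a forwarded-for header or be dropped. Passing this check only proves that the client processes Set-Cookie and follows a redirect, which is why the slide lists it as one of several capability checks rather than a single test.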
COCEP Engine Process: 3 Contents Filtering Rules
• WAPPLES has 3 contents filtering rules against privacy leakage:
  - privacy input filtering
  - privacy output filtering
  - privacy file filtering
• These rules inspect the HTTP message not by simple pattern matching but by evaluating the message data. They can identify credit card numbers, e-mail addresses, mobile numbers, bank account numbers, addresses and so on. Ex) For a credit card number, the checksum is validated with the Luhn algorithm (ISO/IEC 7812-1:2006).
• Positive effects
  - Accurate detection and control of privacy data.
  - WAPPLES can detect various types of privacy data (high extensibility).
Example of False-Positive and Misdetection (1/5)
• Signature (pattern) sample related to SQL injection
• Ex) In case an HTTP message includes the string "... having a good time. Seoul ==> Tokyo ..."
• Limitation
  - The use of 'having' is common on a website. The regular expression that detects "having" results in too many false positives.
• This is a selection of signatures from product 'S' of company 'I'.
• Below, 'part' means the substring-searching target and 'rgxp' means a regular expression describing a certain amount of text. After a string matching 'part' is found, 'rgxp' is applied.
Example of False-Positive and Misdetection (2/5)
• Signature sample of 'SQL Injection WHERE Statement Manipulation'
• Ex) In case an HTTP message includes the string "or 'b'='b"
• Limitation
  - If the SQL injection source is modified from 'a'='a' to 'b'='b', the regular expression cannot detect the modified SQL injection attack.
Example of False-Positive and Misdetection (3/5)
• Signature sample related to DDoS attacks
• Ex) In case an HTTP URI includes "yahoo.co.jp/movie/deadoralive/default.jsp"
• Limitation
  - The use of 'alive' is common on websites. When DDoS signatures are turned on, the regular expression that merely detects 'alive' results in too many false positives.
Example of False-Positive and Misdetection (4/5)
• Signature sample related to privacy (credit card number) filtering
• Ex) For the credit card number "4254361480110015":
  - 4254361480110016: detected in spite of being an invalid card number (false positive)
  - 4254-3614-8011-0015-1234-5678: detected in spite of not being a credit card number (false positive)
  - 4254_3614_8011_0015: a credit card number, but not in the pattern (misdetection)
• Limitation
  - Even when the credit card number is invalid, or is not a credit card number at all, the regular expression filters it.
  - If the credit card number's format is changed, the regular expression cannot detect it at all.
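The Luhn validation mentioned under the contents filtering rules, applied to the three cases on this slide, shows how evaluating the data rather than matching a fixed pattern separates them. This is an added example for this page, not the product's filter: it collects maximal runs of digits joined by space, hyphen or underscore, requires the ISO/IEC 7812 PAN length of 12 to 19 digits, and then checks the Luhn mod-10 digit. The sample text is constructed from the numbers on the slide.

```python
import re

# Constructed sample text (not from the original slides): a number with a wrong check
# digit, the valid number, a 24-digit string, and an underscore-separated valid number.
SAMPLE_TEXT = (
    "order ref 4254361480110016 paid with 4254361480110015; "
    "ticket 4254-3614-8011-0015-1234-5678 shipped; "
    "backup copy 4254_3614_8011_0015"
)

# A maximal run of digits with optional single separators between them.
CANDIDATE_RE = re.compile(r"\d(?:[ \-_]?\d)+")
SEPARATORS_RE = re.compile(r"[ \-_]")

# ISO/IEC 7812 primary account numbers are 12 to 19 digits long.
MIN_PAN_LEN, MAX_PAN_LEN = 12, 19


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return (raw_match, normalized_digits) for every candidate that passes length and Luhn."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        raw = match.group(0)
        digits = SEPARATORS_RE.sub("", raw)
        if not (MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN):
            continue  # the 24-digit string is rejected here: it is not a PAN
        if not luhn_valid(digits):
            continue  # 4254361480110016 is rejected here: wrong check digit
        found.append((raw, digits))
    return found


if __name__ == "__main__":
    for raw, digits in find_card_numbers(SAMPLE_TEXT):
        print(f"{raw!r} -> PAN {digits}")
```

Of the four numbers in the sample text only the two that normalize to 4254361480110015 are reported, and the underscore-separated form is found without a separator-specific pattern. The checksum is a necessary condition, not a sufficient one: a random string of the right length passes Luhn one time in ten, so an output filter would normally combine it with issuer-prefix and context checks before blocking a response.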
Example of False-Positive and Misdetection (5/5)
• Signature sample of 'Buffer Overflow Attack Attempt'
  - If the buffer overflow attack is modified like "abcdabcd...abcd", the regular expression cannot detect it.
  - The signature is made to cope with some scanners and robots, so it leads to many misdetections.
• Limitation
  - It is very difficult to express an infinite number of cases as one pattern.
  - Adding many single patterns puts additional system load on the web application firewall.